0x1A Great Papers in Computer Security

Transcription

1 CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov slide 1

2 Web Applications Big trend: software as a Web-based service Online banking, shopping, government, bill payment, tax prep, customer relationship management, etc. Cloud computing Applications hosted on Web servers Written in a mixture of PHP, Java, Perl, Python, C, ASP Security is rarely the main concern Poorly written scripts with inadequate input validation Sensitive data stored in world-readable files Recent push from Visa and Mastercard to improve security of data management (PCI standard) slide 2

3 Typical Web Application Design Runs on a Web server or application server Takes input from remote users Interacts with back-end databases and third parties Prepares and outputs results for users Dynamically generated HTML pages Content from many different sources, often including users themselves Blogs, social networks, photo-sharing websites slide 3

4 Dynamic Web Application Browser GET / HTTP/1.0 HTTP/ OK Web server index.php Database server slide 4

5 PHP: Hypertext Preprocessor Server scripting language with C-like syntax Can intermingle static HTML and code <input value=<?php echo $myvalue;?>> Can embed variables in double-quote strings $user = world ; echo Hello $user! ; or $user = world ; echo Hello. $user.! ; Form data in global arrays $_GET, $_POST, slide 5

6 SQL Widely used database query language Fetch a set of records SELECT * FROM Person WHERE Username= Vitaly Add data to the table INSERT INTO Key (Username, Key) VALUES ( Vitaly, 3611BBFF) Modify data UPDATE Keys SET Key=FA33452D WHERE PersonID=5 Query syntax (mostly) independent of vendor slide 6

7 Sample Code $selecteduser = $_GET['user']; $sql = "SELECT Username, Key FROM Key ". "WHERE Username='$selecteduser'"; $rs = $db->executequery($sql); What if user is a malicious string that changes the meaning of the query? slide 7

8 SQL Injection: Basic Idea Victim server Attacker 1 3 receive data from DB 2 unintended query This is an input validation vulnerability Unsanitized user input in an SQL query to backend database changes the meaning of query Specific case of command injection Victim SQL DB slide 8

9 Typical Login Prompt slide 9

10 User Input Becomes Part of Query Enter SELECT passwd Username FROM USERS Web browser (Client) and Password Web server WHERE uname IS $user DB slide 10

11 Normal Login Enter SELECT passwd Username FROM USERS Web browser (Client) and Password Web server WHERE uname IS smith DB slide 11

12 Malicious User Input slide 12

13 SQL Injection Attack SELECT passwd Web browser (Client) Enter Username and Password Web server FROM USERS WHERE uname IS ; DROP TABLE USERS; -- DB Eliminates all user accounts slide 13

14 Exploits of a Mom slide 14

15 Authentication with Back-End DB set UserFound=execute( SELECT * FROM UserTable WHERE username= & form( user ) & AND password= & form( pwd ) & ); User supplies username and password, this SQL query checks if user/password combination is in the database If not UserFound.EOF Authentication correct else Fail Only true if the result of SQL query is not empty, i.e., user/pwd is in the database slide 15

16 Using SQL Injection to Log In User gives username OR 1=1 -- Web server executes query set UserFound=execute( SELECT * FROM UserTable WHERE username= OR 1=1 -- ); Always true! Everything after -- is ignored! Now all records match the query, so the result is not empty correct authentication! slide 16

17 Another SQL Injection Example To authenticate logins, server runs this SQL command against the user database: SELECT * WHERE user= name AND pwd= passwd User enters OR WHERE pwd LIKE % as both name and passwd Server executes SELECT * WHERE user= OR WHERE pwd LIKE % AND pwd= OR WHERE pwd LIKE % [From The Art of Intrusion ] Wildcard matches any password Logs in with the credentials of the first person in the database (typically, administrator!) slide 17

18 Pull Data From Other Databases User gives username AND 1=0 UNION SELECT cardholder, number, exp_month, exp_year FROM creditcards Results of two queries are combined Empty table from the first query is displayed together with the entire contents of the credit card database slide 18

19 More SQL Injection Attacks Create new users ; INSERT INTO USERS ( uname, passwd, salt ) VALUES ( hacker, 38a74f, 3234); Reset password ; UPDATE USERS SET =hcker@root.org WHERE =victim@yahoo.com slide 19

20 Second-Order SQL Injection Second-order SQL injection: data stored in database is later used to conduct SQL injection For example, user manages to set uname to admin -- This vulnerability could exist if string escaping is applied inconsistently (e.g., strings not escaped) UPDATE USERS SET passwd= cracked WHERE uname= admin -- why does this work? Solution: treat all parameters as dangerous slide 20

21 CardSystems Attack (June 2005) CardSystems was a major credit card processing company Put out of business by a SQL injection attack Credit card numbers stored unencrypted Data on 263,000 accounts stolen 43 million identities exposed slide 21

22 SQL Injection in the Real World Oklahoma Department of Corrections divulges thousands of social security numbers (2008) Sexual and Violent Offender Registry for Oklahoma Data repository lists both offenders and employees Anyone with a web browser and the knowledge from Chapter One of SQL for Dummies could have easily accessed and possibly, changed any data within the DOC's databases" slide 22

23 Attack on Microsoft IIS (April 2008) slide 23

24 Main Steps in April 2008 Attack Use Google to find sites using a particular ASP style vulnerable to SQL injection Use SQL injection to modify the pages to include a link to a Chinese site nihaorr1.com Do not visit that site it serves JavaScript that exploits vulnerabilities in IE, RealPlayer, QQ Instant Messenger Attack used automatic tool; can be configured to inject whatever you like into vulnerable sites There is some evidence that hackers may get paid for each victim s visit to nihaorr1.com slide 24

25 Part of the SQL Attack String varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+' ''') FETCH NEXT FROM Table_Cursor END CLOSE Table_Cursor DEALLOCATE Table_Cursor; DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST( %20AS%20NVARCHAR(4000));EXEC(@S);-- slide 25

26 Preventing SQL Injection Input validation Filter Apostrophes, semicolons, percent symbols, hyphens, underscores, Any character that has special meanings Check the data type (e.g., make sure it s an integer) Whitelisting Blacklisting bad characters doesn t work Forget to filter out some characters Could prevent valid input (e.g., last name O Brien) Allow only well-defined set of safe values Set implicitly defined through regular expressions slide 26

27 Escaping Quotes For valid string inputs use escape characters to prevent the quote becoming part of the query Example: escape(o connor) = o connor Convert into \ Only works for string inputs Different databases have different rules for escaping slide 27

28 Prepared Statements Metacharacters such as in queries provide distinction between data and control In most injection attacks data are interpreted as control this changes the semantics of a query or a command Bind variables:? placeholders guaranteed to be data (not control) Prepared statements allow creation of static queries with bind variables preserves the structure of intended query slide 28

29 Prepared Statement: Example PreparedStatement ps = db.preparestatement("select pizza, toppings, quantity, order_day " + "FROM orders WHERE userid=? AND order_month=?"); ps.setint(1, session.getcurrentuserid()); ps.setint(2, Integer.parseInt(request.getParamenter("month"))); ResultSet res = ps.executequery(); Bind variable (data placeholder) Query parsed without parameters Bind variables are typed (int, string, ) slide 29

30 Parameterized SQL in ASP.NET Builds SQL queries by properly escaping args Replaces with \ SqlCommand cmd = new SqlCommand( SELECT * FROM UserTable WHERE username AND password dbconnection); Request[ user ] ); Request[ pwd ] ); cmd.executereader(); slide 30

31 G. Wassermann and Z. Su Sound and Precise Analysis of Web Applications for Injection Vulnerabilities (PLDI 2007) slide 31

32 Wassermann-Su Approach Focuses on SQL injection vulnerabilities Soundness Tool is guaranteed to find all vulnerabilities Precision Models semantics of sanitization functions Models the structure of the SQL query into which untrusted user inputs are fed slide 32

33 Essence of SQL Injection Web app provides a template for the SQL query Attack = any query in which user input changes the intended structure of SQL query Model strings as context-free grammars (CFG) Track non-terminals representing tainted input Model string operations as language tranducers Example: str_replace(,, $input) A matches any char except slide 33

34 Phase One: Grammar Production Generate annotated CFG representing set of all query strings that program can generate Direct: data directly from users (e.g., GET parameters) Indirect: second-order tainted data (means what?) slide 34

35 String Analysis + Taint Analysis Convert program into static single assignment form, then into CFG Reflects data dependencies Model PHP filters as string transducers Some filters are more complex: preg_replace( /a([0-9]*)b/, x\\1\\1y, a01ba3b ) produces x0101yx33y Propagate taint annotations slide 35

36 Phase Two: Checking Safety Check whether the language represented by CFG contains unsafe queries Is it syntactically contained in the language defined by the application s query template? This non-terminal represents tainted input For all sentences of the form 1 GETUID 2 derivable from query, GETUID is between quotes in the position of an SQL string literal (means what?) Safety check: Does the language rooted in GETUID contain unescaped quotes? slide 36

37 Tainted Substrings as SQL Literals Tainted substrings that cannot be syntactically confined in any SQL query Any string with an odd # of unescaped quotes (why?) Nonterminals that occur only in the syntactic position of SQL string literals Can an unconfined string be derived from it? Nonterminals that derive numeric literals only Remaining nonterminals in literal position can produce a non-numeric string outside quotes Probably an SQL injection vulnerability Test if it can derive DROP WHERE, --, etc. slide 37

38 Taints in Non-Literal Positions Remaining tainted nonterminals appear as nonliterals in SQL query generated by the application This is rare (why?) All derivable strings should be proper SQL statements Context-free language inclusion is undecidable Approximate by checking whether each derivable string is also derivable from a nonterminal in the SQL grammar Variation on a standard algorithm slide 38

39 Evaluation Testing on five real-world PHP applications Discovered previously unknown vulnerabilities, including non-trivial ones Vulnerability in e107 content management system: a field is read from a user-modifiable cookie, used in a query in a different file 21% false positive rate What are the sources of false positives?

40 Example of a False Positive slide 40